﻿using System;
using System.Collections.Generic;
using System.Linq;
using System.IO;
using System.Web;
using System.Web.Services;
using System.Data.Sql;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Text;
using System.Text.RegularExpressions;
using System.Data;
using System.Configuration;

namespace wdss.WebServices
{
    /// <summary>
    /// Summary description for RegisterService
    /// </summary>
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    //[ToolboxItem(false)]
    // To allow this Web Service to be called from script, using ASP.NET AJAX, uncomment the following line. 
    // [System.Web.Script.Services.ScriptService]
    public class RegisterService : System.Web.Services.WebService
    {

        public RegisterService()
        {

            //Uncomment the following line if using designed components 
            //InitializeComponent(); 
        }

        [WebMethod]
        public bool RegisterNewUser(string emailid, string password, string confirmpassword, string request, int role, int department,string altEmail, string question, string answer)
        {
            bool safeMode = false;
            bool emailSyntaxValidation = true;
            bool sqlinjection = true;
            bool xssinjection = true;
            bool regexfiltered = false;

            string[] strFields = { emailid, password, confirmpassword };

            //sql and xss injection testing
            SQLInjectionDetectionService detectSQL = new SQLInjectionDetectionService();
            DetectXSSAttemptService detectXSS = new DetectXSSAttemptService();
            EmailSyntax emailcheck = new EmailSyntax();
            for (int i = 0; i < strFields.Length; i++)
            {
                sqlinjection = detectSQL.DetectSQL(strFields[i]);
                if (sqlinjection)
                {
                    return safeMode;
                }
            }

            for (int i = 0; i < strFields.Length; i++)
            {
                xssinjection = detectXSS.IsXSSInjection(strFields[i]);

                if (xssinjection)
                {
                    return safeMode;
                }
            }

            emailSyntaxValidation = emailcheck.VerifyEmail(emailid);
            
            if (emailSyntaxValidation.Equals(false))
            {
                return false;
            }
            emailSyntaxValidation = emailcheck.VerifyEmail(altEmail);
            if (emailSyntaxValidation.Equals(false))
            {
                return false;
            }

            bool passMatch = passwordMatch(password, confirmpassword);

            if (!passMatch)
            {
                return false;
            }

            //use html encode to prevent xss
            emailid = detectXSS.EncodeString(emailid);
            request = detectXSS.EncodeString(request);
            altEmail = detectXSS.EncodeString(altEmail);

            //if pass all these, connect to sql server
            SqlConnection connect = new SqlConnection(ConfigurationManager.ConnectionStrings["aspnetdbConnectionString"].ConnectionString);
            SqlCommand command = new SqlCommand("sp_AddNewUser", connect);
            command.CommandType = System.Data.CommandType.StoredProcedure;
            command.Parameters.Add("@par_username", System.Data.SqlDbType.NChar).Value = emailid;
            command.Parameters.Add("@par_password", System.Data.SqlDbType.NChar).Value = password;
            command.Parameters.Add("@par_request", System.Data.SqlDbType.NVarChar).Value = request;
            command.Parameters.Add("@par_department", System.Data.SqlDbType.Int).Value = department;
            command.Parameters.Add("@par_requestedrole", SqlDbType.Int).Value = role;
            command.Parameters.Add("@par_altEmail", System.Data.SqlDbType.NChar).Value = altEmail;
            command.Parameters.Add("@par_question", SqlDbType.NChar).Value = question;
            command.Parameters.Add("@par_answer", SqlDbType.NChar).Value = answer;
            SqlDataAdapter adapter = new SqlDataAdapter(command);


            DataTable user = new DataTable();

            try
            {
                connect.Open();
                command.ExecuteNonQuery();
                safeMode = true;
            }
            catch (InvalidOperationException e)
            {
                Console.WriteLine(e.StackTrace);
                return safeMode;
            }
            catch (SqlException e)
            {
                Console.WriteLine(e.StackTrace);
                return safeMode;
            }
            return safeMode;
        }

        bool passwordMatch(String password, String confirmpassword)
        {

            if (password.Length == confirmpassword.Length && password.Equals(confirmpassword))
            {
                return true;
            }
            return false;
        }
    }
}
